January 27, 2016

HIPAA, Part II: When Providers Hide Behind a ‘Code of Silence’

By Mary Mahoney

J. Robinson Group Blog

HIPAA, the Health Insurance Portability and Accountability Act of 1996, governs the use of personal health information. When a patient is asked to sign a Notice of Privacy Practices at the hospital or doctor’s office, for example, they acknowledge having read regulations that allow their medical records to be disclosed to several entities, from a health insurer and well-meaning relatives to, possibly, a co-worker or acquaintance.


Not everyone is bound by HIPAA’s privacy and disclosure requirements. But those who are deemed to be covered entities must follow certain rules. Nevertheless, many health-care providers, including both people and institutions, have been found to use HIPAA as a blanket cover-yourself-from-liability tool.

A July 2015 story in The New York Times, aptly headlined “HIPAA’s Use as Code of Silence Often Misinterprets the Law,” cites examples of health-care providers who refuse to accept information about a hospitalized patient from a relative about the patient’s allergies to medications. In fact, there is no rule against sharing that information.

Behavioral health is one area where the privacy issue can be particularly sensitive. In June 2015, House Representative Doris Matsui, D-California, introduced a bill called Including Families in Mental Health Recovery Act 2015. It is really more of a reminder that the Privacy Rule, in fact, allows for much more leeway than is generally thought. The U.S. Department of Health & Human Services website FAQ suggests some pretty broad loopholes:

“Q: Does HIPAA allow a health-care provider to communicate with a patient’s family, friends or other persons who are involved in the patient’s care?

“A: Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health-care providers and these persons. Where a patient is present and has the capacity to make health care decisions, health-care providers may communicate with a patient’s family members, friends or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object. See 45 CFR 164.510(b).”

The Health & Human Services site goes on to list many other cases where a covered entity may disclose information. Covered entities include health insurance companies, labs that test blood and radiology departments that conduct X-ray and other tests. Some patients don’t realize that these covered entities may also disclose their mental-health condition to a friend or relative.

The sort of all-purpose privacy exemption clause called “for Notification and other purposes” permits a covered entity to disclose to a friend or relative based on the patient’s “informal permission.” It’s not clear what informal permission constitutes, but a signed authorization is not required. What if an ex-spouse in a contentious divorce calls pretending to be the patient? That spouse could, theoretically, get the patient’s records, location and general condition.

Written authorization, on the other hand, is needed to disclose information not otherwise covered by the Privacy Rule. In those cases, covered entities must have a signed permission slip from the patient that specifies what, when and to whom the information should be given.

There are 12 national priority purposes that don’t require permission or authorization. They include disease control, abuse cases, judicial or administrative proceedings, identifying a suspect, workers’ compensation matters and more. Since these recipients are not covered entities, they may in turn do whatever they want with the information. Even psychotherapy notes may be exempt from required authorization if the therapist is being sued.

Numerous entities of all sorts and sizes have paid multimillion-dollar HIPAA settlements. Many lawsuits have been filed in connection with technology lapses, when companies fail to secure data.

Most violations are unintended. They include outside data hacking, carelessness, lack of encryption and improper records disposal. Recently, CVS pharmacy paid $2.5 million to settle a case in which it was accused of tossing health information into a dumpster.

Some violations may be malicious, such as getting inadvertent access to the records of a hospitalized celebrity and then sharing those records online. The American Medical Association lists penalties of up to $1.5 million, but they can be higher: The New York and Presbyterian Hospital paid a $3.3 million fine for disclosing records of 6,800 patients to Google and other Internet search engines when a computer server was “errantly reconfigured.”

Next I’ll look at how to better manage health-care decisions around HIPAA’s rules.

January 22, 2016

HIPAA, Part I: What it Means to You

By Mary Mahoney

J. Robinson Group Blog

All kinds of practitioners and organizations have been found to use HIPAA as a blanket cover-yourself-from-liability tool.

Among the many documents we receive at hospitals and medical offices is one that details our privacy protections and rights as patients. While many of us may not bother to read it through, this document has changed the way we interact with our personal physicians and other health-care providers.

We expect a high degree of confidentiality from our doctors. Is that what the form is about? Well, not exactly. The privacy forms are governed by HIPAA, the Health Insurance Portability and Accountability Act of 1996. At first glance, this title does not seem to have anything to do with patients’ rights.

But within HIPAA lies its Privacy Rule. It is not easy to make sense of the bureaucratic maze that is HIPAA. As the U.S. Department of Health & Human Services website explains, “A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.”

Still sounds vague? In this series, we will explore the pros and cons of HIPAA and how to selectively safeguard or share your medical information. Here are some scenarios to frame the challenges:

  • As concerned family members, we feel we have the right to know if an elderly relative is receiving the right medical care – but do we have the legal right to get involved?
  • As a parent of a young adult with a drug addiction, or perhaps as a spouse of someone with mental health problems, is patient privacy a good thing or a bad thing?
  • Why is it that we can walk into a pharmacy, give a person’s name and date of birth and pick up their prescriptions without being questioned?
  • Is it a HIPAA violation for a group of visitors sitting in a hospital waiting room to share with strangers the medical information of a patient?

These are complex issues both ethically and legally, and, in theory, this is where HIPAA’s Privacy Rule can come into play.

For starters, you only have to comply with HIPAA’s Privacy Rule if you are a covered entity. Many people, including some in the health-care industry, do not know what is and isn’t a covered entity. The covered entity list includes doctors, nursing homes and pharmacies (but only if the relevant information is transmitted in electronic form), health-care clearinghouses and health plans including HMOs, private plans and Medicare.

But all kinds of practitioners and organizations have been found to use HIPAA as a blanket cover-yourself-from-liability tool. In fact, the HIPAA Privacy Rule does not so much protect the patient as much as give permission to the provider to disclose the patient’s information. And these are not exactly the same thing.

To further complicate matters, states have their own health-privacy laws alongside HIPAA. (According to the Department of Health & Human Services website, federal law pre-empts state law if there is a conflict.) The Office for Civil Rights enforces the HIPAA Privacy Rule, and that is where you could lodge a complaint.

There are many regulations and many exceptions to the regulations – so convoluted that it is almost impossible to summarize. The Code of Federal Regulations Title 45 §164.506 contains some of the statute. The heading “Consent for uses or disclosures to carry out treatment, payment, or health care operations” states that “A covered health-care provider may, without consent, use or disclose protected health information to carry out treatment, payment or health-care operations.” There is a lengthy list of special circumstances and exceptions to the circumstances.

The bottom line is that most of us understand the need for our health-care provider to access our health insurance details to process a claim, get our blood-test results from the independent lab and to order an MRI in conjunction with the radiology department. But beyond that, we may not want our personal information paraded about.

Next, I’ll address the potential misunderstandings and better ways to control our health information.
