How do people use, misuse or abuse Hipaa, the federal regulations protecting patients’ confidential health information? Let us count the ways:
■ Last month, in a continuing care retirement community in Ithaca, N.Y., Helen Wyvill, 72, noticed that a friend hadn’t shown up for their regular swim. She wasn’t in her apartment, either.
Had she gone to a hospital? Could friends visit or call? Was anyone taking care of the dog?
Questions to the staff brought a familiar nonresponse: Nobody could provide any information because of Hipaa.
“The administration says they have to abide by the law, blah, blah,” Ms. Wyvill said. “They won’t even tell you if somebody has died.”
■ Years ago, Patricia Gross, then 56, and a close friend had taken refuge in a cafe at Brigham and Women’s Hospital in Boston, where Ms. Gross’s husband was dying of cancer. She was lamenting his inadequately treated pain and her own distress when a woman seated at a nearby table walked over.
“She told me how very improper it was to be discussing the details of a patient’s treatment in public and that it was a Hipaa violation,” Ms. Gross recalled.
■ In 2012, Ericka Gray repeatedly phoned the emergency room at York Hospital in York, Pa., where her 85-year-old mother had gone after days of back pain, to alert the staff to her medical history. “They refused to take the information, citing Hipaa,” said Ms. Gray, who was in Chicago on a business trip. Learn more about HIPAA E-mail compliant service.
“I’m not trying to get any information. I’m trying to give you information,” Ms. Gray told them, adding that because her mother’s memory was impaired, she couldn’t supply the crucial facts, like medication allergies.
By the time Ms. Gray found a nurse willing to listen, hours later, her mother had already been prescribed a drug she was allergic to. Fortunately, the staff hadn’t administered it yet.
Each scenario, attorneys say, involves a misinterpretation of the privacy rules created under the Health Insurance Portability and Accountability Act. “It’s become an all-purpose excuse for things people don’t want to talk about,” said Carol Levine, director of the United Hospital Fund’s Families and Health Care Project, which has published a Hipaa guide for family caregivers.
Intended to keep personal health information private, the law does not prohibit health care providers from sharing information with family, friends or caregivers unless the patient specifically objects. Even if she does object, is not present, or is incapacitated, providers may use “professional judgment” to disclose pertinent information to a relative or friend if it’s “in the best interests of the individual.”
Hipaa applies only to health care providers, health insurers, clearinghouses that manage and store health data, and their business associates. Yet when I last wrote about this topic, a California reader commented that she’d heard a minister explain that the names of ailing parishioners could no longer appear in the church bulletin because of Hipaa.
Wrong. Neither a church nor a distraught spouse is a “covered entity” under the law.
Last month, Representative Doris Matsui, Democrat of California and co-chairwoman of the Democratic Caucus Seniors Task Force, who has heard similar complaints from constituents, introduced legislation to clarify who can divulge what and under what circumstances. The proposed bill would require the Department of Health and Human Services, which last yearissued new Hipaa “guidance,” to make that statement part of its regulations and to create model training programs for providers and administrators, patients and families.
“A lot of times it’s just misunderstanding what is and isn’t allowed under Hipaa,” Representative Matsui said in an interview.
So, what is and isn’t?
Family members can provide information, as Ms. Gray attempted to do. “How does keeping information confidential stop you from listening to someone?” said Eric Carlson, the directing attorney for Justice in Aging, a legal advocacy group in California. “There’s no Hipaa privacy consideration there.”
An assisted living facility or nursing home can report a death. It can also give someone’s general condition and location, assuming the patient remains within the facility. And if, as Ms. Wyvill suggested, residents ask administrators to keep a list of those who want their neighbors to know they’ve gone to a hospital, that’s perfectly legal under Hipaa.
The law gives providers flexibility in disclosing information in the patient’s interest, but it doesn’t require them to. Clinton Mikel, chairman of anAmerican Bar Association group on e-health and privacy, said that providers sometimes decided, “ ‘We could, but we’re not required to, and we think this situation is a mess, so we’re going to exercise that option.’ ”
A caregiver’s strongest defense, Mr. Mikel said, is to be the patient’s personal representative — his health care proxy or guardian, or with power of attorney — or to have the patient himself authorize the release of information. In such cases, providers must comply.
Hipaa doesn’t require patients to give consent in writing. They can verbally ask that a relative or friend receive information. Facilities may legally demand a signature on a form, nonetheless, and many do.
Staff members’ fears of the consequences of an unintended Hipaa violation are probably overblown. Patients can complain to the Health and Human Services Office for Civil Rights, which lately has intensified enforcement of many aspects of the privacy rules, Mr. Mikel said.
Still, the civil rights office “is not in the gotcha game,” he said. The office generally tries to resolve complaints by fixing problems, not levying penalties.
“Do I see it going after a health care provider for disclosing something to a family member in good faith? I don’t,” Mr. Mikel said. An assisted living staff member or hospital aide isn’t likely to lose her job.
Another common complaint about Hipaa enforcement, by the way, is the lack of access to patients’ own health records, which they have a right to see or copy, though providers can charge copying fees.
Within families, decisions about how much health information to share, and with whom, often become complicated, as a recent study in JAMA Internal Medicine found. When researchers working to design online patient portals convened two sets of focus groups — one for people over age 75, another for family caregivers — they heard the usual tension between older adults’ need for assistance and their desire for autonomy.
“Seniors say, ‘I don’t want to burden my kids with my medical issues,’ ” said Bradley Crotty, the director of patient portals at Beth Israel Deaconess Medical Center in Boston and the study’s lead author. “And the family is saying, ‘I’m already worried. Not knowing is the burden.’ ”
The older group wanted help but not second-guessing or “spying,” Dr. Crotty added. They might agree to disclose the medications they take — just not all of them.
Moreover, the dynamic often changes with increasing disability or a health crisis.
“Say a senior has a serious medical condition — a stroke, for instance — and requires a lot of help and support,” Dr. Crotty said. “He could recover enough to want to take back control of his health information. It may go back and forth.”
Such negotiations require continuing discussions of what patients want to divulge and what families need to know. Personal relationships are tricky terrain.
The law, on the other hand, is comparatively straightforward.
“Providers may be disinclined to give out information anyway, and this provides an easy rationale,” Mr. Carlson, the Justice in Aging lawyer, said. “But Hipaa is more common sense than people give it credit for.”