In the aftermath of the Orlando shooting, some hospital employees wrongly assumed they couldn’t give out any information about patients due to the Health Insurance Portability and Accountability Act. Patient access employees should know the following:
- The law is more flexible than most people realize.
- Providing information about a patient to family members after a disaster doesn’t necessarily constitute a violation.
- For an investigation to occur, someone has to complain.
A frantic woman runs up to an ED registrar after a mass shooting to ask, “Is my son here?” Many registrars believe that if they answer this simple question, it’s a violation of the Health Insurance Portability and Accountability Act (HIPAA). This belief isn’t correct, says Kirk J. Nahra, JD, an attorney specializing in healthcare compliance at Wiley Rein in Washington, DC.
After the Orlando mass shooting, says Nahra, “hospitals seemed to think they couldn’t tell anyone anything. That is clearly not true.” If the hospitals told people, “Under law, we are not permitted to give out any information,” this is false, he emphasizes.
“We can fault hospitals who say ‘I’m not permitted to answer any questions,’ because that’s clearly not the right answer,” says Nahra. Stating, “We are not going to give out any information,” is more accurate. While hospitals aren’t required by HIPAA to give information, says Nahra, “it’s just not very empathetic and not very helpful.”
In the confusion of a mass casualty disaster, registrars typically refuse to give any information because they’re unclear about exactly what they’re allowed to say. “In contexts like this, sometimes it’s easier to just say ‘no,’” Nahra says. “Hospitals may feel it’s clearly safer to say nothing. Saying nothing can’t violate the privacy rule.”
There is no need to take this hard-and-fast position. “There is clearly more room to be responsive to inquiries,” Nahra says. “Nobody from HHS [the Department of Health and Human Services] was going to penalize somebody for trying to be helpful in this situation.”
Even if a registrar, when trying to answer a frantic family member’s questions, inadvertently discloses some protected health information (PHI), such as a patient’s HIV status or the fact that a patient was intoxicated, it doesn’t necessarily rise to the level of a HIPAA violation.
“If you let it slip in the course of answering questions of a parent, nobody’s going to hit you for that,” says Nahra. “HHS — and this isn’t true of all regulatory agencies — tries really hard to tell when you are trying to do the right thing when you made a mistake. And they are very good at that.”
Where Are the Problems?
Problems occur if the same issue occurs repeatedly and no training was given to staff, says Nahra. Also problematic is behavior that’s particularly egregious, such as posting a patient’s medical records on the Internet in case a parent is looking for them.
If the patient isn’t at the hospital, a legitimate answer is, “we don’t have a patient registered in that name.”
If the patient is at the hospital, “the HIPAA rules are pretty straightforward,” says Nahra. If possible, the registrar should obtain permission from the patient to discuss his or her condition. If the patient is unable to give permission, healthcare providers — or patient access staff members, if they’re the ones fielding the question — should do what they think is reasonable in the particular situation. “There is lots of room in the rules to exercise appropriate professional judgement,” Nahra emphasizes.
What if the person asking about a patient isn’t a family member but, instead, a good friend? “If what I say to them is, ‘I think she’s going to be OK,’ is HHS going to have a problem with that? I really doubt it,” says Nahra. Problems are more likely to occur if the registrar spoke in detail about the patient’s STD or drug overdose, he explains.
There probably would be no way for a registrar to verify an individual’s actual relationship with the patient in the aftermath of a disaster anyway, notes Nahra. It could be that an individual claims to be a patient’s spouse and obtains detailed information on the patient’s condition. “If it turned out they just got divorced, and it was nasty, I can’t guarantee HHS isn’t going to look at it. But historically, I can demonstrate they have never looked at that,” says Nahra.
The patient would have to complain to HHS.
“As long as you made a reasonable judgment, HHS isn’t going to nail you for that,” says Nahra. If investigators found that patient access staff had no training, and that registrars made the same mistake repeatedly, the hospital could have a problem, he explains.
HHS is sensitive to the likely reaction of other hospitals if one is penalized for giving out information during a disaster. “If there is a penalty issue because one hospital answered some questions, I guarantee you nobody will ever answer those questions again,” says Nahra.
Lack of Training
As a result of the Orlando shooting, says Jay Hodes, president of Colington Consulting, a Washington, DC-based firm specializing in HIPAA compliance, “hopefully, there is now more awareness of permitted disclosures under HIPAA.”
HIPAA was not intended to prevent treatment conversations from occurring and impede the care necessary for a patient, Hodes emphasizes. “When there is confusion, it tells me healthcare staff did not receive the proper training to fully understand what is permitted,” he says.
Abner Weintraub, an Oregon City, OR-based consultant specializing in HIPAA compliance, points to several guidance documents from the Office for Civil Rights that address this issue. “Medical providers, hospitals, and clinics have far more freedom and discretion to lawfully share patient data than most people realize, as these documents make abundantly clear,” says Weintraub. (Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care can be accessed at http://1.usa.gov/28N0H8V. Also see related story in this issue on what patient access can disclose to law enforcement.)