Going too far with HIPAA compliance threatens care provided to patients
Overzealous individuals can become the HIPAA police’
Healthcare providers have spent years grappling with how to comply with the Health Insurance Portability and Accountability Act (HIPAA), with most of the focus on training clinicians and staff about the dangers of too freely providing protected health information (PHI). Now a new worry is emerging as some providers take HIPAA compliance too far and threaten patient care.
A recent report from the Bipartisan Policy Center, a think tank in Washington, DC, raised the alarm that HIPAA is too far-reaching and "often misunderstood, misapplied and over-applied in ways that may inhibit information sharing unnecessarily." (See the story on p. 3 for more on that report.)
The problem can occur in many healthcare settings, but the IT department is a common source. Some hospital IT departments see themselves as "the HIPAA police" and clamp down in ways that HIPAA doesn’t require, says Abraham Gutman, CEO of AG Mednet, a Boston-based company that assists providers with communication of clinical trial data. Gutman specializes in the de-identification of patient information specific to clinical trials, and he says that with everyone acting as a judge of what HIPAA requires, clinical research and patient care are impeded.
IT departments should publish guidelines on proper HIPAA interpretation to encourage collaboration instead limiting it out of fear, he suggests. The guidelines should explain what is possible in moving data, rather than only focusing on what is prohibited. Explain clearly what safeguards, such as encryption or de-identification, are necessary so that IT managers are willing to try to say "yes" instead of automatically saying "no."
"In my experience the IT departments are among the least knowledgeable about how to comply with HIPAA, but what they do understand is that a breach traced back to them would have very severe consequences," Gutman explains. "Consequently they take the most conservative approach. Nothing can get out, and nothing can get in."
The IT department, however, is sometimes seen by others as authoritative on HIPAA because it is in charge of data transfer. In that case, the IT department’s overreaction is passed on to other departments and individuals, eventually creating a culture in the organization that is not based on an accurate HIPAA interpretation but nonetheless hinders data sharing, Gutman explains. (See the story on p. 3 for an explanation of how the IT department might capitalize on confusion over HIPAA compliance.)
"It hinders through fear. There is so much fear among the doctor and nurse population that people don’t even ask if they can move some data," Gutman says. "They assume from past experience that the exchange will never be approved, so they might as well not ask."
Educate rather than scaring employees
Risk managers, compliance officers, and other administrators should consider whether they are merely scaring employees about HIPAA violations or educating them about the true spirit of the law, suggests Stephen Cobb, senior security researcher with ESET, a company based in San Diego that provides IT security for healthcare providers. HIPAA was never intended to prohibit valid data exchanges, but years of scare tactics have made employees fearful, he says.
"What we have ended up with, unfortunately, is a system of compliance that is diametrically opposed to the idea of providing healthcare," Cobb says. "There are some threats to healthcare data, but most of the information threats are for general information rather than people seeking out healthcare data in particular," he says.
Cobb says he is sympathetic with healthcare IT professionals who may be too strict, because they tend to be on the leading edge of understanding what threats exist and how to resist them. Limiting access to data is always key, so he advises working closely with IT staff to develop reasonable policies. "You have to find a way to rein them in if they are going too far, but without diminishing their enthusiasm for security," Cobb says.
Institutions can be guilty of writing HIPAA policies that are overly strict, but more often the problem lies with individuals who do not know the policies or are overzealous in their interpretation, Gutman says. In particular, employees should be reminded that the patient owns the PHI, not the hospital, he says. Clinical trial participants, for example, explicitly allow the sharing of their information for the purposes of the research, yet some healthcare staff still worry that HIPAA might trump that permission, Gutman says. It doesn’t.
"It is important to explain what kinds of data exchanges can be made, with no worries about HIPAA, in all cases as long as these certain criteria are met," Gutman says. "And they must be empowered to act affirmatively in those situations instead of asking someone else’s opinion. Once you ask someone else, you’re likely to have people say no’ just to cover themselves."
Individuals fear criminal, civil penalties
Over interpretation of HIPAA became more common in 2013, when HIPAA was amended in an Omnibus Rule that was intended, in large part, to increase certain protections to individuals and for individuals to have greater access to their information, explains Lani M. Dornfeld, JD, an attorney with the law firm of Brach Eichler in Roseland, NJ.
The changes also included stiffer penalties for HIPAA violations, including increased money penalties, which triggered covered healthcare providers to amend their HIPAA policies and procedures and re-train staff, she says.
"Although this re-enforced the healthcare industry’s obligation to protect patient privacy, it also engendered fear in individual healthcare providers and their staff," Dornfeld says. "They fear both the monetary penalty provisions as well as the criminal penalty provisions of the law. The result is that providers sometimes overshoot. They err on the side of what they believe to be greater protection to the individual who is the subject of the protected health information."
That response sometimes leads to blocking information from others who have a legal right to access such information and whose access would be beneficial to the individual/patient, such as clinicians and administrators.
Staff often misinterpret HIPAA’s provisions regarding the amount of information that may be provided to family members and friends involved in a patient’s care or in payment for care, as well as what information may be provided to family and friends after a patient’s death, Dornfeld says. (See the story below for more information on difficult situations.)
Publicity about HIPAA violations encourage fear and overreaction, says Patricia Wagner, JD, an attorney with the law firm of Epstein Becker Green in Washington, DC. That reaction is especially prevalent if well-meaning hospital administrators make a point of bringing the incident to staff’s attention and reminding them about the need to comply with HIPAA.
"Every incident in the news about HIPAA ratchets up the angst a little more, and people become more cautious," she says.
- Stephen Cobb, Senior Security Researcher, ESET, San Diego. Telephone: (619) 203-8317. Email: Stephen.email@example.com.
- Lani M. Dornfeld, JD, Brach Eichler, Roseland, NJ. Telephone: (973) 403-3136. Email: firstname.lastname@example.org.
- Abraham Gutman, CEO, AG Mednet, Boston. Telephone: (855) 246-3363.
- Patricia Wagner, JD, Epstein Becker Green, Washington, DC. Telephone: (202) 861-4182. Email: email@example.com.