HIPAA Regulatory Alert
Privacy regulations complicate communication with patients
Balancing confidentiality and safety is a challenge
The privacy regulations enacted as part of the federal Health Insurance Portability and Accountability Act (HIPAA) have caused some unforeseen complications for hospitals trying to ensure patient safety and improve communication between providers and patients, say health care professionals and legal experts.
And as hospitals continue to develop new policies and procedures to comply, it’s important that they carefully examine how their efforts will affect caregiver-patient relationships.
"Some of the good things about HIPAA, obviously, were the enacting of standards to ensure continuity of care and maintenance of insurance coverage while switching jobs and health plans," notes Arnold Rosenbaum, MD, a practicing surgeon and president of Seacrest DocSecurity, a HIPAA consulting firm in Middletown, RI. "But some of the regulations are actually going to impede care in some ways by slowing things down. It is impairing simple communication where there really needs to be communication."
Because HIPAA allows patients to request total or limited anonymity while in the hospital and to have a significant amount of control of over the dissemination of information about their health conditions, most hospitals have done things such as removing the patient names from large boards behind the nurses’ stations and replacing names and other information on wrist bands with bar codes to prevent unauthorized disclosures of information.
While these measures do improve the patient’s confidentiality, they can complicate patient care, Rosenbaum says.
"Hospitals have, in good measure, replaced the patient boards with names in most nursing units with boards that have initials or some other identifier," he explains. "But it can become quite difficult to find your own patient. There are added difficulties to patients requesting anonymity because just finding the patient becomes a significant effort for anyone who has to do it, whether it is a physician, nurse, or technician needing to draw blood. You then have more potential for treating the wrong patient, operating on the wrong patient, etc. You have now this dual purpose in preventing errors and mistakes and in maintaining privacy and confidentiality."
Provider communications with family members — already difficult waters to navigate — are even more complicated now because HIPAA requires that hospitals get written authorization before disclosing information to a third party.
If a patient has established ahead of time that his or her condition can be discussed with a spouse or a child, no problem. However, providers frequently find themselves in other situations, says William J. Spratt Jr., JD, a former health care administrator now a health care attorney with the Miami law firm Kirkpatrick & Lockhart, and vice chair of the Florida Bar Association’s Health Law Certification Committee.
"HIPAA has put some constraints and created some doubt as to what the health care provider can do when they are dealing with a patient who is either incapacitated or in an emergency medical condition," Spratt explains. "They are limited in their disclosure. Basically, they have to make a determination of what is in the best interests of the patient and disclose only the personal health information that is directly related to that person’s involvement."
So if an 85-year-old woman in Miami suffers a heart attack and is taken to the hospital, and the woman’s son in New York calls to speak to the physician, barring any prior authorization from the woman, the physician can only confirm to the family member that the patient is receiving care at the hospital and basic information about the patient’s current condition.
"But they cannot talk about it," Spratt explains. "They can’t say, Mom had a heart attack and we’ve taken a look at it, and it appears to have subsided; she has some weakness of the upper wall.’ They cannot go into that level of detail."
Such efforts to protect the patient may do more harm than good, says Seacrest’s Rosenbaum.
"Open communication — communication with both family and other individuals — frequently is very important in patient care," he notes.
Now, physicians and nurses may feel a dual responsibility — to provide information to worried family members about a patient who may need their support and at the same time to protect their hospital and comply with the privacy protections mandated by federal law.
With no clear guidance, hospital personnel can go overboard with compliance efforts and restrict the flow of information even further than necessary, he adds.
"This issue has not been adequately clarified in the hospitals where I have worked," Rosenbaum says. "There may be a specific form relating to who can be spoken with and who cannot be spoken with, but that is very difficult to work with in the heat of the moment."
The overcompliance problem
In their efforts to comply with the privacy regulations, some facilities have gone overboard and restrict information even when they don’t have to and when the patient wants his or her health information transmitted elsewhere, Spratt notes.
HIPAA allows the free flow of information among covered entities for the purposes of treatment, payment, and health care operations, without prior patient authorization. But some facilities, under the gun to develop compliance plans, have blanket policies that require patient authorization in all instances.
"My wife had a procedure done in the outpatient center of a hospital and requested that the results be forwarded to her physician once the radiologist interpreted the study," Spratt says. "She called and asked them to send it, and they said they needed either a written authorization or she needed to come down there and pick up the results herself. That is basically a covered entity to covered entity and a disclosure for treatment purposes between a hospital and treating physician, but they were being a little overly cautious, I guess. I had to speak with them to assure them that HIPAA certainly allows them to share the results of diagnostic tests with the patient’s physician."
Spratt finds that he frequently has to correct misunderstandings among hospitals and physicians and other providers about the purpose and intent of HIPAA.
"The purpose of HIPAA is not to interfere with the regular ongoing exchange of health care information that is relevant to the common treatment of patients," he notes. "It is really intended more to protect that information from disclosure outside the scope of the treating people and put some limitations on exchange of information between health care providers and insurers so that insurers can’t assemble huge databases on patients that may be used for improper purposes — denying coverage of determining pre-existing conditions, things like that."
HIPAA was enacted because the health care industry was so far behind most other industries in terms of automation and use of electronic data and electronic medical records because of myriad state regulations and an overdependence on paper systems.
"HIPAA was invented to set the stage for facilitating the electronic exchange of information in order to increase efficiency and reduce health care costs by eliminating duplicative testing and things of that sort and to make the information more available to treating physicians and providers so that there may be a reduction in errors because information was not available," Spratt explains.
At the same time, Spratt notes, the federal government was concerned that facilitating the efficient exchange of information would enable the establishment of huge databases of medical information about individuals and that this had a huge potential for abuse.
"This is a recurrent theme in federal regulations," he says. "Any time there is an initiative to aggregate substantial amounts of personal data, this element of Congress raises up and says, No, that’s not what this country is about.’"
So, though the intention of the privacy regulations was to prevent Big Brother from knowing everything about everyone’s medical condition, the real-world impact is that a worried sister might not be able to obtain information about her sick sibling hospitalized across the country.
Further complicating matters, HIPAA allows health care providers to provide information to persons without prior authorization if they are allowed to do so under state laws, but only under the specific provisions under those laws.
The only recourse hospitals have is to ensure that they understand HIPAA and its interaction with the laws in their state and that they develop policies that accurately guide their staff interactions with patients, says Linda Ross, JD, a health law attorney with the law firm of Honigman Miller in Detroit.
"There are already differing laws in differing states that deal with things like confidentiality and patient records and disclosures and subpoenas, etc.," she explains. "Rather than have HIPAA just trump everything, the lawmakers created a system where if the state law is contrary to, but more stringent than, federal law, the state law remains in place."
In Michigan, the health law section of the state bar spent months in committee going over the different provisions in HIPAA and any related statutes in their state to determine which requirements held.
"We created this tool for the state that is available and a guideline that goes through our analysis and decides what requirements hospitals and other entities in the state must do to comply," Ross says.
As people become more educated about and comfortable with HIPAA, much of the confusion and conflicts will die down, she notes. But for now, hospitals must look at everything they do for how the privacy regulations may have an effect.
They must not only develop policies that require personnel to obey the law but also ensure that the policies don’t encourage staff to become so rigid in protecting information that they harm patient relationships or impede patient care.
"Especially things like patient rights — patients have a right to access their records, request amendments, and say, Talk to my husband, but not to my son,’ or Call me on my cell phone, but don’t call me at home," Ross says. "The result is that hospitals need to implement behavioral changes, cultural changes, and administrative changes with how they deal with patient information."
[For more information, contact:
- Arnold Rosenbaum, MD, President, Seacrest DocSecurity, 1272 W. Main Road, Suite 240, Middletown, RI 02842.
- Linda Ross, JD, Honigman, Miller, Schwartz & Cohn, 2290 First National Building, 660 Woodward Ave., Detroit, MI 48226-3583.
- William J. Spratt Jr., JD, Kirkpatrick & Lockhart Miami Center, 20th Floor, 201 S. Biscayne Blvd., Miami, FL 33131-2399.]