HIPAA Regulatory Alert: How to deal with family members under HIPAA

Facilitywide culture change may be necessary

One of the many challenges facing providers under HIPAA, particularly in the context of oncology, cardiac surgery, and OB/GYN services, involves health care services provided to a family member. The final HIPAA regulations say that if the patient is present, providers can infer from specific circumstances that the patient wants you to share certain information with the spouse or family member. The more difficult question arises when the patient is diagnosed and a family calls the provider, says health care attorney Susan Bonfield of Fox Rothschild in Philadelphia.

Moreover, she says this is a common occurrence. "The problem is that the regulatory allowance that allows a provider to share that kind of information does not apply in the same way if the patient is not physically present in front of the provider," Bonfield explains. For example, a verbal authorization by a spouse over the phone generally is not HIPAA-compliant, she notes.

Bonfield says one way to deal with this problem is through some type of "registration authorization." For example, she says providers might give patients an authorization with checkboxes about what information they are allowed to share with specific family members. Patients then would fill in the rest of the HIPAA-mandated authorization, which would indicate the type of information along with an expiration date or event.

Changing the culture

When using this approach, she says providers should include an expiration date or event. "Oftentimes, there is a term of treatment such as six months for chemotherapy," she points out. "You can also do it on a month-to-month basis to be more specific, but I think it is reasonable to use a course of treatment as an expiration event."

Beyond the simple mechanics involved in questions such as this is the process of changing the culture of an organization. For example, physicians typically walk the patient out and to the front desk, often to schedule the next procedure or appointment, with a waiting room full of patients. Since the physician assumes everyone is there for a similar reason, he or she may not be mindful about what is said. Or the receptionist may be designated to call to confirm appointments. Depending on the amount of information communicated to those patients, this practice may need to be reviewed.

"The point is that everybody is entitled to privacy," she warns. As a result, she says physicians and other providers must learn to conclude the visit in the office. That may mean handing the patient a piece of paper with instructions for the front desk and letting the patient take it to the registration person without the physician verbalizing the information in front of others.

Many organizations maintain they will never get the physicians to change, says Bonfield. However, it is vitally important to get buy-in from management and leadership beforehand so the rest of the staff will follow suit. It will be difficult to impress upon staff that they must embrace HIPAA if the leadership fails to do so.

According to Bonfield, another issue involves the facility’s patient directory. Under HIPAA, she says patients have the right to opt in or out of having their name and their identity included in the facility directory. This largely applies to hospitals, nursing homes, and other entities, she adds.

According to Bonfield, the first operational issue in this regard is how to document when patients say they do not want to be in the facility directory. She says providers can either remove the name from the list of the patients or simply flag it. However, there are some problems associated with the latter approach.

Bonfield suggests that providers script this process out for the person who is at the switchboard. "These are people who until now may not have had a lot of responsibility for decision making and following particular policies or procedures," she explains.

For example, she says providers must know what to do if somebody calls and asks for a patient’s room and a flag shows that the patient wanted to opt out of the directory. "If the name is flagged, and you have them say, I am sorry, I show no record of anyone by that name,’ that is untrue," she points out. "I am not sure you want to put people in that position."

On the other hand, if the operators are vague about in their response, that may only lead to more questions. Since that will place the person at the switchboard in an awkward position, Bonfield says it is probably better to simply remove the names completely from the list of patients. Then the switchboard operator will not be in a compromising position, she explains.

Ultimately, Bonfield says it depends on what kind of computer system the facility is using and what specific information is accessed. She says that it’s essential to train front desk personnel and switchboard personnel, regardless. "They are going to require some specific training," she emphasizes. "You do not want to put them in a position of having to make policy decisions for that facility on an ad hoc basis."

According to Bonfield, this question highlights the broader decision about whether it is easier to take an existing procedure and overlay HIPAA requirements or to take a HIPAA requirement and place existing procedures on top of that. "There are pros and cons to each approach," she says. " One may require more work while the other may require more of a cultural change. I have organizations do it both ways."